cnet News has an article about a new type of trojan that waits until an infected user logs into their bank account and then activates to transfer money out of the account. Password stealing trojans used to be the big concern (and probably still are an important threat). However, this new bread of trojan can defeat enhanced authentication schemes (such as two-factor authentication) and similar types of security measures implemented by banks, since they don’t need to grab a password or deal with getting access to an offline security token device. They simply wait for the user to do whatever is required to log in, and then they take over the computer and carry out their dirty business. Of course, these trojans have to be programmed with the intelligence for specific banking sites.